-
其它链接及资源

-
漏洞信息

漏洞名称:ISS RealSecure 3.2.x Fragmented SYN数据包DoS漏洞

紧急程度:中危

漏洞类型:其他

发布日期:2000-10-20 00:00:00

更新日期:2005-10-20 00:00:00

攻击路径:远程※本地

详细介绍:

ISS RealSecure 3.2.1和3.2.2版本存在漏洞。远程攻击者可以借助带有SYN标志设置的分段数据包导致服务拒绝。

-
公告与补丁

The official response from ISS on this issue is as follows: We have currently identified and can confirm the following based on exploit information in the security bulletin and what we have received from Modulo and ISS research of the issues: (1) A patch for Network Sensor 3.2.2 is available to fix the Syn Flood issue. You must have an updated maintenance license before downloading and installing this patch. Please read the release notes first before installing. The patch can be downloaded at:

ftp://ftp.iss.net/private/support/patch/realsecure32/ (2) RealSecure 5.0 is not affected by the Syn Flood issue brought up in the security bulletin, (3) The command provided by Modulo produces a flood of ipfrag events (thus throttling the console), but does not otherwise affect the engine. RealSecure Network Sensor 5.0 contains a filter on the ipfrag event which prevents it from being logged more than once per source ip / destination ip pair. Since RealSecure Network Sensor 3.2 supports the advanced dialog through the console's policy editor, the ipfrag event can be tweaked to also use these same filter settings, preventing the console flood: same_source_ip same_destinaion_ip protect_from_flood

-
漏洞信息

-
漏洞描述

Internet Security Systems RealSecure intrusion detection software contains a flaw that allows a remote denial of service. The issue is caused when an attacker sends a specially crafted fragmented packets with the SYN flag set. When the sensor receives these, it will overflow a buffer and crash the sensor.

-
时间线

公开日期:
2000-08-22

发现日期:
Unknow

利用日期:Unknow

解决日期:Unknow

-
解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, ISS has released a patch (3.2.2patch) to address this vulnerability.

-
受影响的程序版本

-
漏洞讨论

On NT, after crashing the service will restart, and generates an Application Log event. If the packets are continuosly resent, detection is effectively halted while the service repeatedly restarts.

On Solaris, the process crashes, all detection stops, and a report is generated to the console. Also, on Solaris it is possible to crash the process with a flood of unfragmented packets if certain flgas (in addition to SYN) are set.

-
漏洞利用

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

-
解决方案

The official response from ISS on this issue is as follows:

We have currently identified and can confirm the
following based on exploit information in the security bulletin and what
we have received from Modulo and ISS research of the issues:

(1) A patch for Network Sensor 3.2.2 is available to
fix the Syn Flood issue. You must have an updated maintenance license
before downloading and installing this patch. Please read the release
notes first before installing. The patch can be downloaded at:

ftp://ftp.iss.net/private/support/patch/realsecure32/

(2) RealSecure 5.0 is not affected by the Syn Flood
issue brought up in the security bulletin,

(3) The command provided by Modulo produces a flood
of ipfrag events (thus throttling the console), but does not otherwise
affect the engine. RealSecure Network Sensor 5.0 contains a filter on the
ipfrag event which prevents it from being logged more than once per source
ip / destination ip pair.

Since RealSecure Network Sensor 3.2 supports the
advanced dialog through the console's policy editor, the ipfrag event can
be tweaked to also use these same filter settings, preventing the console
flood:
same_source_ip
same_destinaion_ip
protect_from_flood